CVE Daily
← All tags

Tag: Apache Server

All CVEs associated with "Apache Server". Page 1/1 • 111 CVEs.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-08-18
High

CVE-2025-53192

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the…

CVSS: 8.8 CWE: CWE-146
Read more
Medium

CVE-2025-41242

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following ar…

CVSS: 5.9 CWE: N/A
Read more
2025-08-15
Medium

CVE-2025-54466

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum p…

CVSS: 6.3 CWE: CWE-94
Read more
2025-08-14
Medium

CVE-2025-55675

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do n…

CVSS: 6.5 CWE: CWE-285
Read more
Medium

CVE-2025-55674

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist.…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2025-55673

When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly…

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2025-55672

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's…

CVSS: 5.4 CWE: CWE-80
Read more
High

CVE-2025-54472

Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Root Cause: In the bRPC Redis protoc…

CVSS: 7.5 CWE: CWE-190
Read more
2025-08-13
Medium

CVE-2025-55668

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old…

CVSS: 6.5 CWE: CWE-384
Read more
High

CVE-2025-48989

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0…

CVSS: 7.5 CWE: CWE-404
Read more
2025-08-08
Critical

CVE-2025-53606

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the…

CVSS: 9.8 CWE: CWE-502
Read more
Critical

CVE-2025-48913

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to re…

CVSS: 9.8 CWE: CWE-20
Read more
2025-08-06
Medium

CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type,…

CVSS: 6.9 CWE: CWE-252
Read more
2025-08-03
Medium

CVE-2024-51775

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information abou…

CVSS: 5.3 CWE: CWE-1385
Read more
Medium

CVE-2024-52279

Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 b…

CVSS: 5.3 CWE: CWE-20
Read more
Medium

CVE-2024-41177

Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the…

CVSS: 6.1 CWE: CWE-79
Read more
2025-08-01
High

CVE-2012-10022

Kloxo versions 6.1.12 and earlier contain two setuid root binaries—lxsuexec and lxrestart—that allow local privilege escalation from uid 48. The lxsuexec binary performs a uid check and permits execu…

CVSS: 8.5 CWE: CWE-269
Read more
2025-07-31
Medium

CVE-2025-24854

A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some se…

CVSS: 6.1 CWE: CWE-79
Read more
High

CVE-2025-24853

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information…

CVSS: 7.5 CWE: CWE-79
Read more
2025-07-30
Medium

CVE-2025-54656

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some c…

CVSS: 6.5 CWE: CWE-117
Read more
2025-07-26
Critical

CVE-2025-54415

dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml…

CVSS: 9.1 CWE: CWE-78
Read more
2025-07-25
High

CVE-2016-15046

A client-side remote code execution vulnerability exists in Hanwha Techwin Smart Security Manager (SSM) versions 1.32 and 1.4, due to improper restrictions on the PUT method exposed by the bundled Ap…

CVSS: 8.6 CWE: CWE-306
Read more
2025-07-23
Medium

CVE-2025-54090

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

CVSS: 6.3 CWE: CWE-253
Read more
2025-07-21
High

CVE-2025-50151

File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to versi…

CVSS: 8.8 CWE: CWE-20
Read more
High

CVE-2025-49656

Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to versi…

CVSS: 7.5 CWE: CWE-22
Read more
2025-07-17
Medium

CVE-2025-54064

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-ser…

CVSS: 6.9 CWE: CWE-532
Read more
2025-07-15
Medium

CVE-2025-48795

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attac…

CVSS: 5.6 CWE: CWE-400
Read more
2025-07-14
High

CVE-2025-53689

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade…

CVSS: 8.8 CWE: CWE-611
Read more
2025-07-12
High

CVE-2024-41169

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1…

CVSS: 7.5 CWE: CWE-664
Read more
2025-07-11
Medium

CVE-2025-48924

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.…

CVSS: 5.3 CWE: CWE-674
Read more
2025-07-10
High

CVE-2025-53506

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue…

CVSS: 7.5 CWE: CWE-400
Read more
High

CVE-2025-52520

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0…

CVSS: 7.5 CWE: CWE-190
Read more
High

CVE-2025-52434

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with c…

CVSS: 7.5 CWE: CWE-362
Read more
High

CVE-2025-53020

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4…

CVSS: 7.5 CWE: CWE-401
Read more
High

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Onl…

CVSS: 7.4 CWE: CWE-287
Read more
High

CVE-2025-49630

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.…

CVSS: 7.5 CWE: CWE-617
Read more
Critical

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected w…

CVSS: 9.1 CWE: CWE-284
Read more
High

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.…

CVSS: 7.5 CWE: CWE-150
Read more
High

CVE-2024-43394

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request i…

CVSS: 7.5 CWE: CWE-918
Read more
High

CVE-2024-43204

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is confi…

CVSS: 7.5 CWE: CWE-918
Read more
High

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP re…

CVSS: 7.5 CWE: CWE-20
Read more
2025-07-06
High

CVE-2025-27446

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate p…

CVSS: 7.8 CWE: CWE-732
Read more
2025-06-26
Critical

CVE-2014-0468

Vulnerability in fusionforge in the shipped Apache configuration, where the web server may execute scripts that the users would have uploaded in their raw SCM repositories (SVN, Git, Bzr...). This…

CVSS: 9.8 CWE: CWE-434
Read more
2025-06-17
High

CVE-2025-3515

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1…

CVSS: 8.1 CWE: CWE-434
Read more
2025-06-16
High

CVE-2025-49125

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possib…

CVSS: 7.5 CWE: CWE-288
Read more
High

CVE-2025-49124

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A…

CVSS: 8.4 CWE: CWE-426
Read more
High

CVE-2025-48988

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 th…

CVSS: 7.5 CWE: CWE-770
Read more
High

CVE-2025-48976

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; fr…

CVSS: 7.5 CWE: CWE-770
Read more
2025-05-29
High

CVE-2025-46701

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to th…

CVSS: 7.3 CWE: CWE-178
Read more
2025-05-14
Critical

CVE-2025-47436

Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompre…

CVSS: 9.8 CWE: CWE-122
Read more
2025-05-13
High

CVE-2025-27696

Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset:…

CVSS: 8.8 CWE: CWE-285
Read more
2025-05-09
Medium

CVE-2025-46392

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when l…

CVSS: 6.5 CWE: CWE-400
Read more
2025-05-07
High

CVE-2025-27533

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to exces…

CVSS: 7.5 CWE: CWE-789
Read more
2025-04-29
High

CVE-2025-3891

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPres…

CVSS: 7.5 CWE: CWE-248
Read more
2025-04-28
Critical

CVE-2025-31651

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to…

CVSS: 9.8 CWE: CWE-116
Read more
High

CVE-2025-31650

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory…

CVSS: 7.5 CWE: CWE-459
Read more
2025-04-24
High

CVE-2025-27820

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 r…

CVSS: 7.5 CWE: CWE-295
Read more
2025-04-09
Medium

CVE-2025-27391

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.Con…

CVSS: 6.5 CWE: CWE-532
Read more
Medium

CVE-2025-31672

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for…

CVSS: 5.3 CWE: CWE-20
Read more
Medium

CVE-2025-30677

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive confi…

CVSS: 6.5 CWE: CWE-532
Read more
2025-04-01
Critical

CVE-2025-30065

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes…

CVSS: 9.8 CWE: CWE-502
Read more
Medium

CVE-2025-27427

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address e…

CVSS: 4.3 CWE: CWE-863
Read more
2025-03-25
Medium

CVE-2024-53679

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of…

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2024-53678

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that…

CVSS: 8.8 CWE: CWE-89
Read more
2025-03-23
Medium

CVE-2025-30474

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in…

CVSS: 5.0 CWE: CWE-200
Read more
2025-03-20
Medium

CVE-2025-27888

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open…

CVSS: 5.4 CWE: CWE-79
Read more
2025-03-12
Medium

CVE-2025-27017

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized u…

CVSS: 6.5 CWE: CWE-538
Read more
Medium

CVE-2025-27867

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: fro…

CVSS: 5.6 CWE: CWE-79
Read more
2025-03-10
Critical

CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apach…

CVSS: 9.8 CWE: CWE-44
Read more
2025-02-14
Critical

CVE-2024-56180

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to…

CVSS: 9.8 CWE: CWE-502
Read more
Critical

CVE-2024-52577

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually craf…

CVSS: 9.0 CWE: CWE-502
Read more
2025-02-13
High

CVE-2024-46910

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which…

CVSS: 7.1 CWE: CWE-80
Read more
2025-02-10
Medium

CVE-2025-25247

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up t…

CVSS: 6.1 CWE: CWE-79
Read more
2025-02-07
Medium

CVE-2025-25069

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a…

CVSS: 6.5 CWE: CWE-115
Read more
2025-02-06
High

CVE-2022-31764

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version…

CVSS: 8.5 CWE: CWE-913
Read more
High

CVE-2024-37358

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbound…

CVSS: 8.6 CWE: CWE-20
Read more
2025-02-04
Medium

CVE-2024-27137

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack an…

CVSS: 5.3 CWE: CWE-287
Read more
High

CVE-2025-23015

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via u…

CVSS: 8.8 CWE: CWE-267
Read more
2025-01-28
Medium

CVE-2024-23953

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an autho…

CVSS: 6.5 CWE: CWE-208
Read more
2025-01-27
High

CVE-2025-24783

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation…

CVSS: 7.5 CWE: CWE-335
Read more
2024-12-23
Medium

CVE-2024-23945

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying t…

CVSS: 5.9 CWE: CWE-209
Read more
2024-12-20
Critical

CVE-2024-56337

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 throu…

CVSS: 9.8 CWE: CWE-367
Read more
2024-12-17
Medium

CVE-2024-54677

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.…

CVSS: 5.3 CWE: CWE-400
Read more
Critical

CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (…

CVSS: 9.8 CWE: CWE-367
Read more
2024-12-11
Critical

CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which ca…

CVSS: 9.8 CWE: CWE-434
Read more
2024-12-09
Critical

CVE-2024-53947

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows at…

CVSS: 9.8 CWE: CWE-89
Read more
Low

CVE-2024-46901

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision,…

CVSS: 3.1 CWE: CWE-20
Read more
2024-12-05
High

CVE-2022-41137

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) s…

CVSS: 8.3 CWE: CWE-502
Read more
2024-11-28
Critical

CVE-2024-52338

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arr…

CVSS: 9.8 CWE: CWE-502
Read more
2024-11-19
Medium

CVE-2024-31141

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and…

CVSS: 6.5 CWE: CWE-269
Read more
2024-11-18
Critical

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception dur…

CVSS: 9.8 CWE: CWE-391
Read more
2024-11-07
High

CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13…

CVSS: 8.6 CWE: CWE-770
Read more
2024-10-09
High

CVE-2024-28168

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version…

CVSS: 7.5 CWE: CWE-611
Read more
2024-07-03
High

CVE-2024-34750

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP hea…

CVSS: 7.5 CWE: CWE-400
Read more
2024-06-24
Critical

CVE-2024-29868

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the re…

CVSS: 9.1 CWE: CWE-338
Read more
2024-06-12
High

CVE-2024-36263

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. This issue affects Apache Submarin…

CVSS: 8.1 CWE: CWE-89
Read more
2024-06-10
High

CVE-2024-36471

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL.  Project administrators can run these imports, which could cause Allura to read from intern…

CVSS: 7.5 CWE: CWE-20
Read more
2024-03-19
Medium

CVE-2024-24683

Improper Input Validation vulnerability in Apache Hop Engine.This issue affects Apache Hop Engine: before 2.8.0. Users are recommended to upgrade to version 2.8.0, which fixes the issue. When Hop S…

CVSS: 6.5 CWE: CWE-20
Read more
2024-03-13
Medium

CVE-2024-23672

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue…

CVSS: 6.3 CWE: CWE-459
Read more
2023-11-28
High

CVE-2023-46589

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not c…

CVSS: 7.5 CWE: CWE-444
Read more
2023-10-23
High

CVE-2023-31122

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.

CVSS: 7.5 CWE: CWE-125
Read more
2023-10-10
Medium

CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not c…

CVSS: 5.3 CWE: CWE-20
Read more
Medium

CVE-2023-42795

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0…

CVSS: 5.3 CWE: CWE-459
Read more
2023-08-25
Medium

CVE-2023-41080

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 thro…

CVSS: 6.1 CWE: CWE-601
Read more
2023-03-22
Medium

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to…

CVSS: 4.3 CWE: CWE-523
Read more
2023-02-20
Critical

CVE-2023-25613

An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.

CVSS: 9.8 CWE: CWE-74
Read more
2022-07-18
High

CVE-2022-33891

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or m…

CVSS: 8.8 CWE: CWE-78
Read more
2021-12-20
High

CVE-2021-41561

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

CVSS: 7.5 CWE: CWE-20
Read more
2021-12-10
Critical

CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker contro…

CVSS: 10.0 CWE: CWE-20
Read more
2021-12-08
Critical

CVE-2021-20038

A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' use…

CVSS: 9.8 CWE: CWE-121
Read more
2010-03-05
Critical

CVE-2010-0425

modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request proces…

CVSS: 10.0 CWE: N/A
Read more